[OpenAFS] Authenticating against krb5-only KDC (active directory)
Jacob Gorm Hansen
jg@ioi.dk
Mon, 18 Mar 2002 18:45:12 +0100
On Mon, Mar 18, 2002 at 09:57:42AM -0600, Douglas E. Engert wrote:
> I see you have received many comments on this, but we are doing this now.
> I can use K5 on W2k to authenticate, then a krb524d running on a unix
> box to convert to a K4/AFS token.
>
> This requires two sets of mode. The krb524d uses two sets of keys. It
> decrypts with the K5 key from W2K, then encrypts the K4/AFS token with the key
> used by AFS in the KeyFile.
I suppose this means krb524d must share knowledge of the key used to encrypt
the K5 token. How, in practice, does one share such a key with active
directory?
> A change we are working on is dropping krb524d and aklog all together, and
> replacing them with a gssklog. This would authenticate using GSSAPI, and
> returns a K4/AFS token. The gssklogd would run on the AFS servers. This could
> then either use the MIT gssapi, or on Windows, could use Martin Rex's GSSAPI
> over SSPI. i.e. the gssklog has no Kerberos source code, using your favorite
> compiled GSSAPI libs.
This sounds much cleaner. How far are you from making this work?
> See ftp://achilles.ctd.anl.gov/pub/kerberos.v5/
> for MIT mods for the aklog, and krb524d
>
> and
> ftp://achilles.ctd.anl.gov/pub/DEE/gsiklog-0.9.tar
> for the gssklog.
I will, thanks,
Jacob
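A toy model of the two-key translation step Douglas describes (krb524d decrypting under the K5 key it shares with the W2K KDC, then re-encrypting an AFS token under the KeyFile key), written here as an added example; it is not code from OpenAFS, from the achilles.ctd.anl.gov krb524d, or from either poster. Real Kerberos ticket formats and enctypes are not reproduced: a constructed HMAC/SHA-256 stream cipher stands in so the code runs offline with only the standard library, and the keys, principal names and realm are constructed values. What it does show is why the translator must hold both keys, and that a token sealed under one key is rejected outright by a party holding only the other.

```python
"""Toy krb524d: decrypt a K5-sealed ticket, re-seal an AFS token.

Added example, not OpenAFS or MIT code. Kerberos wire formats are NOT
reproduced; a constructed encrypt-then-MAC scheme built from SHA-256
and HMAC stands in for the K5 and K4/AFS enctypes.
"""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy construction, not a Kerberos enctype)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload: nonce || ciphertext || HMAC tag."""
    plaintext = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> dict:
    """Verify the tag under `key`, then decrypt. Raises ValueError on any mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


# Constructed keys (hypothetical values): the K5 service key the W2K KDC
# uses for the krb524 service, and the key stored in the AFS KeyFile.
K5_SERVICE_KEY = hashlib.sha256(b"constructed-k5-service-key").digest()
AFS_KEYFILE_KEY = hashlib.sha256(b"constructed-afs-keyfile-key").digest()


def kdc_issue_k5_ticket(client: str, k5_key: bytes = K5_SERVICE_KEY) -> bytes:
    """Stand-in for the KDC: a service ticket sealed under the K5 service key."""
    return seal(k5_key, {"type": "k5-ticket", "cname": client, "realm": "EXAMPLE.COM"})


def krb524d_translate(k5_ticket: bytes,
                      k5_key: bytes = K5_SERVICE_KEY,
                      afs_key: bytes = AFS_KEYFILE_KEY) -> bytes:
    """The two-key step: open with the K5 key, re-seal an AFS token with the KeyFile key.

    Only a host holding BOTH keys can perform this, which is why the K5
    service key has to be shared out of the KDC to wherever krb524d runs.
    """
    ticket = open_sealed(k5_key, k5_ticket)
    if ticket.get("type") != "k5-ticket":
        raise ValueError("not a K5 ticket")
    token = {"type": "afs-token", "cname": ticket["cname"], "realm": ticket["realm"]}
    return seal(afs_key, token)


def afs_server_accept(token: bytes, afs_key: bytes = AFS_KEYFILE_KEY) -> dict:
    """Stand-in for an AFS server: it knows only the KeyFile key."""
    tok = open_sealed(afs_key, token)
    if tok.get("type") != "afs-token":
        raise ValueError("not an AFS token")
    return tok


def cross_key_rejected(blob: bytes, key: bytes) -> bool:
    """True if `blob` cannot be opened under `key` (the wrong-key failure mode)."""
    try:
        open_sealed(key, blob)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    k5 = kdc_issue_k5_ticket("jacob@EXAMPLE.COM")
    afs = krb524d_translate(k5)
    print("AFS server sees:", afs_server_accept(afs)["cname"])
    print("AFS token opens under K5 key?", not cross_key_rejected(afs, K5_SERVICE_KEY))
```

The AFS server never sees the K5 service key and the KDC never sees the KeyFile key; the translator is the only component that needs both, which is the trust boundary to watch when deciding where krb524d (or its gssklogd successor) runs.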